The problem with privacy

Ryerson has guidelines for how they keep your personal information safe and out of reach, but proper precautions are not always taken. News Editor Carolyn Turgeon looks at how safe your information really is

Every student has one; a nine-digit identifier assigned at random the moment they apply for post-secondary education.

It’s your username to sign into Blackboard, the string of numbers on your OneCard and a sequence you’ll probably write out a thousand times before you graduate.

The frightening part is that the number, and the information it links to, could potentially be used to rob you of your money and identity.

The Canadian Anti-Fraud Centre (CAFC) website reported nearly 8,000 identity theft complaints by the general public in 2006, with the estimated monetary loss being at $16,283,000.

Although there are no statistics focusing on student identity theft, there are plenty of initiatives out there warning young people to protect themselves from fraud.

The CAFC is one of them, providing different ways to notice and prevent identity theft.

“Keep items with personal information in a safe place,” lists one of the points on the website. “An identity thief will pick through your garbage or recycling bins.”

It continues to say you should rip or shred any forms, statements, offers and applications before throwing them out, in case they contain personal information that can identify you in any way.

Your student number would count as one of those pieces of personal information. Given the right access, it can be used to find all of the information the university holds on you: personal, financial and academic. Gaining that access is made easier still when your number is accompanied by further information such as your name, address, phone number and other information most students wouldn’t want just anyone seeing.

But even alone, anyone who has seen your student number could pick up a Short-Term Withdrawal Form and hand it into admissions in your name. With only your name and student number, some jerk has just dropped you out of school for a semester, and now you have to scramble to fix it.

Ryerson policy asks anyone handling your information to dispose of it securely. In fact, it says so right on a document the Eyeopener obtained that contained a student’s name, their student number, program, course information, instructor’s name and signature, student signature of consent for nomination, their mailing address, and the date.

The document was a Faculty of Arts’ nomination form for essay prizes in Liberal Studies Courses signed by history professor Arne Kislenko. Printed on the bottom was a reminder from Ryerson’s Information Protection and Access Policy [IPAP] for Restricted Information to handle it with care. IPAP requires documents that include personal information, such as a student number, to be “used, stored, and destroyed securely.” Typically that means shredding, not tossing it in the recycling bin as Kislenko may have done.

Kislenko, a former intelligence officer, said he wouldn’t normally make a mistake, even a minor one like this.

“I shred everything,” he said. “I used to work in the business of keeping secrets secret, it is fairly standard operating procedure.”

He admitted that he wouldn’t remember off the top of his head what happened with the forms and why they wouldn’t have been shredded, but that he had no intention to reveal any student information.

Normally, documents put out for shredding are kept in secured, locked bins and then put through to the master shredder.

“If it was me, then it’s my bad,” he said. “That’s fairly minor, to be honest.” He pointed out how easy it is to access someone’s student number, by looking at their test paper or peeking over their shoulder at a form. “I probably wouldn’t have shredded it though, as it’s pretty innocuous [information],” said Kislenko. “I think everything has to be viewed within reason.“ He said there’s only so much you can do in terms of security. “It really depends,” he said, referencing the university’s general policies on information, but not referencing any protocol for information viewed as low risk as a student number.

David Goodis, director of legal services at the Commissioner’s office, said he wouldn’t refer to a student number as low risk.

“A student number, though it might on its face appear innocuous, is something we consider particularly sensitive,” said Goodis.

It can be linked to the name, address, phone number, test scores and other quite sensitive personal information if given the correct access. Ryerson, like other universities, has been covered by the Freedom of Information and Protection of Privacy Act (FIPPA) since 2006.

“If a student number was carelessly disposed of, that would be a breach of the act,” said Goodis. “The more information that’s revealed, the more seriously it can be considered.”

FIPPA is merely administrative law, not criminal, so any investigations would be internal. In a case such as this, the Commissioner’s office would investigate to see if the act has been breached and make recommendations of what to do in the future.

“I wouldn’t put it on par with medical and financial information, but it’s hard to call it innocuous because of its ability to link [to all other information],” said Goodis.

He remembered one precedent in which a student’s information had been submitted to the Golden Key Honour Society at Ryerson. The student was upset that information had been shared without his consent, but in the end the IPC investigation had concluded that Ryerson was not guilty of any mishandling of personal information according to FIPPA.

The Eyeopener has found breaches of personal information security before. In 1990, The Eyeopener found confidential documents and the administration vowed to never leave sensitive information lying around agian.

However, in 1997, The Eyeopener found numerous receipts from the Hub in an open garbage in the subbasement of Jorgensen Hall. These slips contained student numbers and residence information.

In 2007, boxes labelled “shred” and “confidential” were found lying around an empty, unlocked office. The boxes contained pay stubs, grades and tenure reports. In 2009, a computer error exposed the name, gender, date of birth, student number, address and social insurance number of 600 students for nearly a month.

After the 2007 incident, Heather Driscoll, Ryerson’s information and privacy coordinator, said that anything that would offer potential access to another person’s information would be considered a privacy breach.

However, Driscoll says it’s difficult to determine the risk of someone else gaining access to your student number and mailing address, the most private parts of the document found near Kislenko’s office.

“In general though, if the form contains personal information, we’d encourage people to look at that information and destroy it in a secure method,” she said.

As far as the consequences of this information breach, Driscoll was more concerned about the reaction of students involved.

“Even if there is no significant risk of harm it still might be a reputation and trust issue,” she said. “We might encourage the faculty member to notify the [student whose information was involved].”

Through each breach The Eyeopener has uncovered, the response from the administration has been much the same: to look at IPAP. Driscoll refers to IPAP as an outline for all employees as to what their responsibilities are when it comes to information.

The document, found on the privacy page of the Ryerson website, references the university’s commitment to protecting personal information, teaching and research records, law enforcement, solicitor-client labour relations and other unspecified types that the policy puts under the term “restricted information.”

The rest of the page mainly references the university under FIPPA and their IPAP procedures. The procedures in question can be found on the Ryerson website, however they’re vague when it comes to dealing with specific personal information handling, such as a form with a student’s number.

The policy and procedure are heavy with legal jargon, references and impressive wording, but you cannot look to them for what to do in a specific situation or where the line is drawn to separate risk levels and what should be done for each instance.

Driscoll’s office does not police the university for privacy and information violations, but investigates when potential problems are reported and provide advice on how to contain the situation.

“If we determine that there’s a significant risk of harm, we provide outreach to the individuals affected,” she said. In that case, which Driscoll describes as rare, they notify the Information and Privacy Commissioner of Ontario’s office.

Keith Alnwick, Ryerson registrar, says even though a student number in itself does not necessarily give access to any other information, he still agrees that the student number is regarded as private just like any other personal information the university houses. “All the staff have signed confidentiality agreements and understand quite clearly what the FIPPA requires,” said Alnwick. All this personal information is housed on the university’s electronic network, to which access is granted by the registrar’s office on a need-to-know basis.

Those need-to-know workers don’t just include high-level administration staff. Students in the work-study program can be granted access if their job requires finding contact information for alumni or donors. The access is then passed along to the Computing and Communication Services (CCS), run by director Brian Lesser.

Even though this relationship between departments controls the access of information, and CCS’ firewalls alert any breach on Blackboard or RAMMS, Alnwick is not opposed to taking every precaution.

“I’d love to shred everything because I think the more that’s disposed of the better,” said Alnwick. “When in doubt, shred.”